From broad AI law to narrower ADMT rules
Colorado AI Act screening compliance changed direction when the original broad law stalled under a constitutional challenge. The earlier framework treated most artificial intelligence used in hiring as a high risk system, imposing detailed risk management, impact assessments, and algorithmic discrimination controls on both developers and deployers. That expansive approach to high risk systems in Colorado would have covered many background check platforms, résumé scoring tools, and automated interview systems.
Under the first version of the law, any algorithmic system that made or materially supported consequential decisions about employment would have triggered strict requirements. Developers and deployers high in the value chain would have needed a formal risk management policy aligned with the NIST RMF, regular impact assessments, and documentation of reasonably foreseeable and foreseeable risks. The Colorado attorney general was empowered to enforce these requirements, treating failures in risk management for a high risk system as potential unfair or deceptive practices.
That regime is now gone, replaced by SB 26-189 and a narrower focus on automated decision making technology used for consequential decisions in hiring. The new law still targets algorithmic discrimination and harmful risks algorithmic systems can create, but it no longer mandates broad algorithmic impact assessments or a full risk management programme for every covered system. For HR technology leaders, Colorado AI Act screening compliance now centres less on proving formal risk system governance and more on transparent decisions, clear notice, and defensible documentation.
What SB 26-189 covers and what it leaves out
SB 26-189 introduces the concept of automated decision making technology, narrowing which systems fall under Colorado AI Act screening compliance. The law focuses on systems that make or substantially assist consequential decisions, such as hiring, promotion, or termination, while excluding general purpose tools like calculators, spell checkers, and simple databases that do not shape employment decisions. For background check trends, this means that scoring engines, automated adjudication rules, and algorithmic résumé filters are in scope, but basic data storage systems are not.
Under the new law, deployers and developers must understand when their artificial intelligence tools cross the line into consequential decision making. If a system automatically recommends adverse action based on criminal records or credit data, it likely qualifies as a high risk system for employment, even if the statute no longer uses that exact label. Developers deployers working together must map where algorithmic logic influences a consequential decision, document the data inputs, and assess reasonably foreseeable risks of algorithmic discrimination.
Unlike the original CAIA style framework, SB 26-189 does not require formal impact assessments for every risk system, but it still expects disciplined risk management. Employers building a multi state audit framework that scales for background check compliance will need to align Colorado’s narrower requirements with more expansive regimes in places like California, Illinois, and New York City. The attorney general retains authority to investigate whether deployers high in the hiring chain used systems in ways that created unlawful discrimination, and whether their management policy and documentation provide an effective affirmative defense.
Three operational obligations for screening programmes
For HRIS and HR technology managers, Colorado AI Act screening compliance under SB 26-189 now turns on three operational pillars. First, employers must give applicants clear notice before using automated decision making technology in background checks or other screening decisions, explaining what system is used, what data it relies on, and how it may affect consequential decisions. Second, when an automated tool contributes to an adverse consequential decision, candidates must receive an explanation and a meaningful human review option.
Third, deployers must retain records for at least three years, including data about system outputs, key decisions, and any internal impact assessment or risk management analysis. This record retention requirement pushes organisations to log how artificial intelligence tools influence each consequential decision, which risk systems were active, and how foreseeable risks were mitigated. For many employers, that will require tighter integration between ATS, CRA, and HRIS platforms, as well as secure document workflows and secure ID card processes, such as those described in guidance on how to choose the best ID card printer for secure background checks.
These changes shift the focus from formal bias audits toward transparency, traceability, and defensible processes when using algorithmic systems in hiring. Vendors that can show disciplined management policy, alignment with NIST RMF style practices, and clear documentation of risks algorithmic tools pose will give clients stronger grounds for an affirmative defense if challenged by the Colorado attorney general. Employers that align their background check systems with these expectations, while monitoring federal developments and other state laws, will be better positioned to manage high risk use cases and maintain trust in automated screening.